Do you want to become a penetration tester?
Are you excited about breaking into things not only for fun, but possibly earning a living doing it?
Penetration testing is one of the tech skills whose demand is at an all-time high, and it attracts some of the most brilliant minds in the tech industry.
In fact, according to Payscale, the median salary for a pentester is $83,941.
A penetration tester is a highly trained information security specialist who breaks into networks and systems to find security vulnerabilities and remedy them.
This way, a penetration tester ensures that a malicious attacker cannot gain access to the organization's data.
Oftentimes a penetration tester is also referred to as an ethical hacker or pen tester.
In this article we are going to look at how to become a penetration tester in 7 simple steps.
I will outline and detail each step you need to take to go from a complete beginner to a professional penetration tester in 2019.
But if you are set, check out my other article on the best resources for learning penetration testing online.
So if you are ready to start exploiting security vulnerabilities in web applications, mobile apps or computer networks…
… then this is the ultimate guide you need to become a penetration tester.
Before we get started, let me underscore that penetration testing is a very dynamic field and you must always be ready to learn new technologies fast… every day.
Let’s get into the steps you need to take to become a pentester.
1. Getting Started
How do you get started becoming a penetration tester?
During your job as a pentester you’ll typically focus on breaking into networks, web apps and mobile apps to exploit their security vulnerabilities.
Here are 5 of the core responsibilities of a penetration tester.
- You’ll perform penetration tests on computer networks, systems and applications.
- You’ll perform physical assessment of servers, systems and other network devices to ascertain their physical safety.
- Identify methods and loopholes that an attacker might use to exploit security vulnerabilities in a system.
- You’ll research, evaluate and document pentest findings and present their business implications to management.
- Discover areas where staff or user education and awareness is needed for improved security.
The first thing you need to do to become a pentester is to read about it.
I would start by reading about cyber security in general through books, blogs and YouTube videos.
Like I already mentioned earlier, these are the best online tutorials for getting started with pentesting.
They will help you get a general idea of what cyber security is all about in general before you narrow it down to penetration testing.
After going through these materials you’ll get familiar with terms like hardware, software, networks, APIs, operating systems and databases, among others.
With this general knowledge you’re ready to move to step 2 of how to become a penetration tester where you’ll learn the hard skills.
2. Learn Hard Skills
What are the hard skills that you need to become a pentester?
As a penetration tester you’ll not only be required to perform pentests to pinpoint security vulnerabilities…
… you’ll also be required to develop some of these tools on your own.
While there are many penetration testing tools out there for automated testing, a professional pentester will very often perform manual testing using custom tools.
So apart from knowing how to use these tools you also need to have computer programming skills in languages like Python so that you can write your own scripts.
With these skills you’ll be able to conduct audits, write code, automate processes and reverse engineer mobile application code binaries.
Here are some of the hard skills that you must learn to become a penetration tester.
- Learn about all the popular operating systems including Windows, Mac and Linux.
- Learn the most popular programming and scripting languages like C, C++, C#, Java, Python, PHP and Perl.
- Acquire in-depth skills in network servers, server software and networking tools and software.
- Learn about reverse engineering, vulnerability analysis and forensics tools.
- Learn about the workings of both web-based applications and mobile apps.
- You’ll also need to learn about network security protocols and standards.
With these hard skills you’ll be able to create your own testing tools in addition to testing computer networks and applications.
After acquiring these skills, at least at a basic level, you are ready to move to step 3 of becoming a penetration tester.
This is where you’ll get your hands dirty putting these skills to use.
3. Acquire Hands-On Skills
Penetration testing is a practical skill.
So no amount of theory that you’ll absorb from books, blog posts or YouTube videos will prepare you for the job.
If you want to become a penetration tester, you have to put the skills to practice… that’s how you master them.
But how do you start practicing your penetration testing skills?
First of all you have to set up your own penetration testing lab at home so that you can run these tools.
Using these tools you’ll be able to perform your own pentesting practice and get a feel of the practical side of penetration testing.
The easiest place to start if you are completely new is with web application penetration testing.
So with web app pentesting tools like SQLMap you’ll be able to start running simple vulnerability scans on live web applications to scout for exploitable vulnerabilities.
After getting some practice with penetration testing on web applications, move to networks…
Start cracking wifi passwords.
Here are some wifi penetration testing tools that you should check out.
While performing penetration testing, it is very important to do it right.
This is because if you want to become a professional penetration tester, you have to ensure your pentests cover the full scope of tests.
I also wrote another article on the 7 step penetration testing methodology that will help you ensure that you stay on track.
By following this methodology you’ll be able to run pentests that are thorough and effective.
It’s the only way to ensure you completely secure a network or system.
Many penetration testing jobs will also require you to be aware of this penetration testing methodology and standards.
But you are not done yet.
Check the next step for additional soft skills you have to learn to become a pentester.
4. Learn Soft Skills
Penetration testing is not only about finding security vulnerabilities in networks and applications…
It is also about communicating these findings in an understandable way to your team members and management.
In fact this is the most important part, as I have outlined in this network penetration testing checklist.
Since you need to be able to write reports that communicate these weaknesses, you must have strong written and oral communication skills as a pentester.
Wait, but I thought an ethical hacker stays in pajamas and hoodies and stares at a blank computer screen all day without uttering a word?
That’s a malicious hacker, not an ethical hacker boy 🙂
So every time you run a penetration test on a network using your home pentest lab, practice writing reports and recommendations.
The management team is not a technical team; they only understand numbers.
So you have to be able to relate your security findings in terms of how they would affect the company revenue, reputation and normal operations.
It means you also have to acquire business and management skills in order to be able to communicate the implications of these security flaws.
For example, say the database being erased by a malicious attacker causes the sales team to experience downtime for 3 days.
Can you show the financial impact this would have on the company?
Does your presentation have appropriate visual aids to ensure the case is clear to all stakeholders in the organization?
As you see, your oral communication skills are also very important because you’ll spend a lot of your time talking to people and explaining things.
In order to become a penetration tester, you must also have solid analytical skills to help you evaluate and analyze solutions to existing security threats.
Lastly, you must have exceptional problem solving skills to be able to determine the best course of action to take in order to protect a network from potential security threats and breaches.
So, with all these skills are you ready to go get that 6 figure pentester job?
Check out step 5 for the next thing to do if you want to become a penetration tester in 2019.
5. Take Certifications
Most employers will only hire a penetration tester with previous work experience.
But how do you get that work experience if nobody will hire you without work experience?
Sounds like a catch-22, right?
Well, there’s a way around that, and that’s what we are going to look at in this step of how to become a penetration tester in 2019.
One more thing…
Do you have a college degree?
Some employers prefer to hire pentesters who have at least a bachelor’s degree.
It could be a bachelor’s degree in computer science, information security, cyber security or any other related field.
Don’t let this put you off though.
I myself don’t have a university degree at all but have a cool pentester job.
Here is how.
First, a number of penetration testers DON’T hold a specialized degree.
Penetration testing is more about hands-on skills than course credits, so a bachelor’s degree is not necessary if you have the right practical experience and a few certifications.
This is especially true for entry level pentester jobs, but in order to move up the corporate ladder you need some BS in IT.
So if you don’t have a college degree, but have the practical pentesting experience from step 5, take a pentesting or ethical hacking certification.
Taking a certification like the Certified Ethical Hacker (CEH) certification will prove to your prospective employer that you not only have the necessary knowledge in pentesting, but also have the know-how to apply it professionally.
I find taking a certification in networks and security very important in helping me do my day to day pentesting jobs.
In fact, I list some network security courses that are really great in preparing you for network security certifications.
In addition to that, taking a certification that is specific to penetration testing is also very beneficial.
It will make you stand out.
This PenTest certification by CompTIA is a great one to start with because it will equip you with the ideal know-how to carry out penetration testing.
By taking these certifications, you’ll not only be able to bridge your lack of a college degree but also your lack of work experience.
Certified Information Systems Security Professional (CISSP) certification is another great certification preferred by employers because it covers training in a number of topics, including security policies, cryptography and ethics.
Even though there are many pentesting or ethical hacking certifications out there, I find a lot of them redundant.
Now, with all this hands-on practice and certifications guess what’s next?
Go get a real job!
It’s time to find an opportunity to apply your skills in a real network or system where security has a real direct implication on people’s lives.
So in the next step of this ultimate guide on how to become a penetration tester, we’ll look in detail at how to get your first pentester job.
6. Get A Pentesting Job
A penetration tester will often be employed internally by a company and will form part of the network security team.
This could be at the company whose system you look to secure, or at a security firm that takes contractual outside pentesting jobs.
But you could also offer penetration testing services as a freelancer, remember 🙁
I can only call you a professional pentester when someone is paying you to do this.
Otherwise, who knows what you’ve really been up to anyway?
Before we look into how to get a penetration testing job…
Let’s take a quick look at what your typical day as a penetration tester might look like.
- You’ll begin your day planning a specific penetration test.
- Create or select the appropriate pentesting tools.
- Perform penetration tests on a network, system or application.
- Identify the security vulnerabilities from the data gathered.
- Finish by reviewing and documenting your findings.
Here is a complete penetration testing methodology where I explain all these steps in detail.
Note that a day in the life of a pentester is very different.
You might get a full time in house job, a part time job, weekends only job, a telecommuting or remote pentesting job.
Your duties will also vary from network and application tests, physical security tests or inspections, security audits, general security reporting, involvement with security team and security policy reviews.
A few times, you might also be called upon to train other organization staff.
Just like we already saw in the previous step to becoming a penetration tester, you can circumvent the lack of experience and a degree with certifications.
For entry level pen testing jobs you’ll just need 1-3 years of experience in penetration testing, solid technical skills, and CISSP, GIAC or CISA certifications.
First, use your soft skills acquired previously to craft a very interesting résumé.
In your résumé remember to NOT just highlight your skills for the sake of it, but detail how they are of importance to an organization.
Remember companies often are more concerned about profits and reputation than anything else.
Forget what they tell you they care about!
Once you are ready with all this, start applying for penetration tester jobs.
If you are an entry level pentester you might instead try to look for an internship at a small to medium size company as they might be easier to get.
Even though an internship might not be paid, it will give you the essential experience you need to get your next paying job.
This is how you solve that ‘lack of experience’ problem we were talking about.
Basically, just find any way possible to get your foot into the door.
Penetration testing or cyber security in general is a very challenging career, but if you have some skin, it is a very rewarding profession.
You’ll get a lot of opportunities to use your creative mind.
7. Get Experience
After you land your first penetration testing job, well…
It’s time to work and gain some real world experience.
But that is not all.
I am a progressive person and I am always looking for the next steps, the next thing to pursue…
After a few years of on the job experience, is there opportunity for growth in a penetration testing career?
The path to a penetration tester is not linear as there are many ways to get there.
However, this career does touch on many others, so there are a ton of related specialities for an experienced pentester to branch into.
So after you’ve proven your worth and experience as a junior penetration tester…
Move on to more exciting and better paying specialities like:
- Network Administrator
- Senior Penetration Tester
- Security Consultant
- Security Architect
A network administrator is responsible for the day to day security and operations of computer networks for businesses, organizations or state agencies.
You might also decide to level back up and study cyber security as a broader field.
If you came in without a college degree, you could decide to get one after you land your first pentesting job.
Do this because if you really want a promotion, more responsibilities or more management roles, most companies will need a bachelor’s degree in a related field.
Could be a bachelor’s in computer science, Information Technology (IT), Cyber Security, Network Security etc.
Heck some companies even ask for an MS!
There you have it.
Your ultimate guide to moving from a complete beginner to a senior penetration tester.
If you follow this guide step by step you’ll learn how to become a penetration tester and start earning a living doing what you love… and having fun doing it.
Even though penetration testing might sound like a very cool profession, your job will not always be fun and sunshine.
In fact a penetration tester’s job is labelled as one of the most frustrating jobs in the tech industry.
This is partly because, apart from having the technical skills required, you must always be a quick learner, very patient, creative, a problem solver, a critical thinker and everything in between.
You not only have to learn the different technologies and operating systems, you must understand how they work.
However, just like anything else in life, if you want to become a penetration tester, all you need to do is to get started.
There is no substitute for this.
No amount of thinking and reading about penetration testing will make you one.
Just get up and do it. It is a practical skill, so you only acquire it by doing – through trial and error.
Why not get started becoming a pentester by learning penetration testing online?
Through these courses you’ll be able to acquire both the hard and soft skills you need to afford you an entry into this profession.
You’ll get to learn from expert and experienced pentesters who’ll teach you just what you need.
So you’ll get to save time by just focusing on the important skills and ignoring everything else.
I hope this guide on how to become a penetration tester opened your eyes as to what you need to do to become a pentester.
Are you already an ethical hacker or are you looking to become a penetration tester?
Please share your experience in pentesting in the comments below.